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(L) Real Party In Interest 

The real parly in interest in the above application is Mazts Networks, Inc. 
(ii.) Related Appeals and Interferences 

The appellant is not aware of any appeals or interferences related to the above-identified 
patent application. 

(iii) Stains of" Claims 

This is an appeal from the decision of the Pnnu;> fsammc, fr a ! ru Office Uuon 
dated Jane 14. .7006 rejecting claims 1 -33 all "1 the «.Lmv u tV app jc.uum I k> elands h.n e 
been twice rejected. Claims 1 -33 are the subject of tins appeii 

(iv.) Status of Amendments 

Claim amendments filed on September I, 2006 were not entered.' The examiner 
eonsidered thai this amendment required further consideration and/or search, which in 
Appellants opinion is unfortunate, since it would have clarified issues on appeal. Appellant 
argues the claims without the un-entcred amendment, but will note fur the Board the 
discrepancies and correct language, which will be provided by amendment when the case is 
allowed. 

Appellant filed a Notice of Appeal on December 14, 2006. 

(v.) Summary of Claimed Subjeet Matter 
Background 

The invention relates to techniques to thwart network-related denial of service attacks, h 
denial u! service attacks, an attacker sends a large volume of malicious irafnc to a victim in an 
attempt to prevent the victim front responding to legitimate traffic. 
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^pclhrm ' ^ hn en tion 
Claim 1 

One aspect of Appellant's invention is set oat. in claim ] , as a method of protecting a data 
center against a denial of service attack. "Referring to FIG. i. an arrangement 10 to thwart 
denial of service attacks (DoS attacks) is shown." [Speciiieation page 4. lines 27-28] 

Inventive features of claim j include sending queries to data eoi lectors, deployed at 
different points in a network that carries network traffic to the data center, the data collectors 
collect statistical information on network packets sent over the network, "The data collectors 28 
are located inter alia at major peering points and network points oi presence (PoPs). The data 
collectors 28 sample packet irallic. accumulate, and eolleci statistical information about network 
flows." [Specification page 5, line 32 to page 6 line 4'j the queries to request the statistical 
information from at least some of the data collectors. "The control center queries data collectors 
28 and asks which data collectors 28 are seeing suspicious traffic being sent to the victim I ?..'" 
(Specification page 12, lines 16-1 S). 




Inventive features of claim 1 also include sending the statistical information from the data 
collectors in response to the queries. "Alternatively, die data collector can respond to queries 
concerning characteristics of traffic on the network. Typically, the queries can be for 
information pertaining to statistics." [Specification page 9, line 32 to page 10. line 3). 

Inventive features of claim 1 also include processing the statistical information to 
determine die source of suspicious network traffic sent to the data center, "The packets from the 
attacker will have faked source addresses that will be changing with time. However, the control 
center can issue a querv for this kind of packet by victim destination address. T he data collectors 
28 reply with the information collected. Based on thai collected information from the data 
collectors 28, the control center can then determine what data centers are performing the 
spooling on the victim 12." [Specification page- 1 2, lines 19-26). 



Claim 15 claims a method of protecting a victim data center against a denial of service 
attack. This feature generally finds support at least as the analogous feature of* claim 1 . 
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inventive features of claim 15 include receiving packer with taked, random source 
addresses. "The packers from the attacker will have faked source addresses that will be changing 
with lime." (Specification page 12, lines 1 9-20]. 

inventive features of claim 15 also include receiving, from a gateway disposed near the 
victim data center, a notification that the victim data center is under an attack. "The gateway 2t» 
at the victim 1 2 contacts the control center and notifies the control center 24 that the victim 12 
data center is under a spoofing attack.'" [Specification page 12, lines 8-10]. 

Inventive features of claim 15 also include sending queries to data collectors deployed at 
different points m u network that carries network traffic to the victim data center, the data 
collectors to sample network packets and collect statistical information on network packets sent 
over the network, the queries being requests for statistical information from data collectors that 
have examined network traffic with the victim destination address. This feature generally finds 
support at least as the analogous feature of claim 1 . 

Inventive features of claim 15 also include determining the data center or centers 
involved in the attack on the victim data center by analyzing collected statistical information 
from the data collectors. This feature generally finds support at least as the anak-^ou^ io thae ot 
claim I . 

Claim 20 

Claim 20 claims a system to thwart denial of service attacks on a vk nr d. t \ i.r.c- I his 
feature generally finds support at least as the analogous feature of claim I . 

Inventive features of claim 20 include a plurality of monitors dispell. l!Tv>,s»H> p \ 
network, the monitors eolleenng statistical data on network traffic. This fcL.ti.-e gene a U liuh 
support at least as the analogous feature of claim 1 and by "Gateways 26 an J uuta .et^s 2s 
are types ol momiors that monitor and collect statistics on network traffic." I s - pi o 1« c u> t p<>»>o 
5. lines 24-261. 

Inventive features of claim 2 1 also include a control center coupled to Jv p'au h.v .>{ 
data collectors, the s.-ontroi center executing a computer program product si rod oi. i ^empiric 
readablc medium. "The arrangement 1 0 to protect the victim includes a cow c *\t 1 i tl\r 



communicates with and controls gateways 26 and data collectors 28 disposed in the network 14." 
[Specification page 5, lines 17-20). 

Invent? ve features of claim 21 also include instructions to receive from the victim site a 
notification that the victim data center is under an attack. Tins feature generally finds support at 
least as the analogous feature of claim 1. 

Inventive features of claim 21 a] so include instructions to send queries to data collectors 
to request the .statistical information from the data collectors, the statistical information used 10 
determine the source of suspicious network traffic being sent to the victim. This feature 
generally finds support at least as the analogous feature of claim 1 . 

Inventive features of claim 2 1 also include a gateway device that passes network packets 
between the network and the victim data center, the gateway disposed to protect the victim data 
center, and being coupled to the control center. ''The gateway 26 devices arc located at the edges 
ui the Internet IT for instance, at the entry points of data centers. The gateway devices 
constantly analyze traffic, looking for congestion or traffic levels that indicate the onset of a DoS 
attack." ['Specification page 5. lines 28-32]. 

Claim29 

Claim 29 is directed to a computer program product residing on a computer readable 
media for protecting a victim data center against a denial oi service attack. 'The control center 
executes a computer program product stored on a computer readable medium." (Specification 

page 2, lines 23-24], 

Inventive features of claim 29 include instructions to receive a notification that the victim 
data center is under' an attack. This feature generally finds support at least as the analogous 
feature of claim i. 

Inventive features of claim 29 also include instructions to send queries to data collectors 
deployed at different points in a network that carries network traffic to the victim data center, the 
data collectors to sample network traffic and collect statistical information on packets sent over 
the network, the queries to request statistical information from data collectors that have 
examined network traffic with the victim destination address. This feature generally finds 
support at least as the analogous feature of claim I . 
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h ^ e ^ ! u ikN s J um a.\o include instructions to determine a source of the attack 
on the victim data center by analyzing collected information from the data collectors. This 
feature generally finds support at least as the analogous feature of claim I. 

tvi.) Grounds of Rejection to be Reviewed on Appeal 

1 . Claims 1.-12 and 1 5-33 stand rejected under 35 U.S C. 1 02(e). as being anticipated 
by Yavatkar et aL (Yavatkar) U.S. Patent No. 5,735, 707. 

2. Claims 13 and 14 stand rejected under 35 U.S.C. 103(a) as being unpatentable 
over Yavatkar et ah, '702 in view of Mill et a!., (Mill) U.S. Pal No. o\088 r S04. 

(Vii.) Argument 

Anticipation 

"It is well settled that anticipation under 35 U.S.C. § j 02 requires the presence in a single 
rcicrenee of ail of the. elements of a claimed invention," Ex pane Chopra, 229 U.S.P.Q. 230. 
231 (BPA&l 1985} and cases cited. 

"Anticipation requires the presence in a single prior art disclosure of all elements of a 
claimed invention arranged as in the claim." Conneil v„ Sears, Roebuck & Co., 220 U.S.P.Q. 
193, 198 (Fed. Cir. 1983). 

I vOan s *s xcpca*edi> -aateci the defaw o + ta^t, ' io i eh\ s o an kj ut» r ! 
can only be established by a single prior art reference which discloses each and every element of 
the claimed invention." Structural Rubber Prod. Co. v. J\irk Rubber Co., 223 U.S.P.Q. 1264, 
1270 (Fed. Cir. I9$4), citing five prior federal Circuit decisions since 1983 including Council. 

In a later analogous case the Court of Appeals for the f ederal Circuit again applied this 
rule in reversing a denial of a motion for judgment n.o.v. after a jury finding that claims were 
anticipated. James bury Corp. v, Litton- Industrial Prod, Inc., 225 U.S.P.Q. 253 (Fed Cir. 1985). 

Alter quoting from Comic!!, "Anticipation requires the presence in a single prior art 
disclosure of ail elements of a claimed invention arranged as in the elamv' 225 U.S.P.Q. at 256, 
the court observed that the patentee accomplished a constant tight contact in a ball val ve by a lip 
on the seal or ring which interferes with the placement of the ball. The lip protruded into the 
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yea a' ue f c k II wj 1 be t» -tor a. t v\ as tnus deflected after the bail was assembled into the 

valve. Because of this constant pressure, the patented valve was described as providing a 

particularly good seal when regulating a low pressure stream. The court quoted with approval 

irom a 1%7 Court of Claims decision adopting the opinion of then Commissioner and later 

Judge Donald E. Lane: 

[T]he term "engaging the ball" recited in claims 7 and 8 
means that the lip contacts the ball with sufficient force to 
provide a fluid tight seal **** The Saunders flange or lip 
only scaling!}- engages the ball 1 on the upstream side when 
die fluid pressure forces the lip against the ball and never 
seaiingly engages the bail on the downstream side because 
there is no fluid pressure there to force the lip against the 
ball. The Saunders sealing ring provides a compression 
ty pe of sea) which depends upon the ball pressing into the 
material ni the ring. *** The seal of Saunders depends 
primarily on the contact between the hall and the body of 
the scaling ring, and the flange or Hp scaling!;/ contacts the 
ball on the upstream side when the fluid pressure increases. 
225 U S.P.Q. at 253. 

ke\nv <v 'a,*i*h>>> the 1 1 < vud " \noapa* on ieijUK\> ookuv ' t'uo' „r 
con nsr igi'ieo.vC x Mae ^ PIk eh tence vuth ta„ daiuj> v I die po.eut i u \ <.,a r red dc>K. 
- nt\ p v\.d ri a -logic pn i a-1 .e.eicu i diM.io-.es ^ j me Cu s o: iie v. .\rv_d iror 
Hiiicd itieu«tri' .'<• i t -(w'. / 'oj'u <'>'<•' <'■>/< . <■ 
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Oovunisness 
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Ic i - ci «»k o o ult.uKOs show Jv \aiious elements suggested by the Examines in order to 
support a conclusion that it would have been obvious to combine the cited references, the 
references must cither expressly or impliedly suggest the claimed combination or the Examiner 
must present a convincing line of reasoning as to why one skilled in the art would have found the 
claimed invention obvious in light of the teachings of the references. Ex Parte Clapp. 227 
U.S.P.Q.2d 972. 973 (Board. Pat. Aup. & Inf. 983);' 

"The mere fact that the prior art could be so modified would not hove made the 
modilkation obvious unless the prior art suggested the desirability oi the modification " In re 
Cordon, 221 U.S.P.Q. i 175, 1127 {Fed. Cir. 198d). 

Although the Commissioner suggests that [the structure in die 
primary prior art reference) could readily be modified to form the 
| claimed) structure, "[t'Jhe mete fact that the prior art could be so 
modified would not have made the modification obvious unless the 
prior art suggested the desirability of the modification." hi re 
Laskm-skf, 10 U.S.P.Q. 2d 1397, 1398 (Fed. Cir. 1989;. 

"The claimed invention must be considered as a whole, and the question is whether there 
:s something m the prior art as a whole to suggest, the desirability, and thus the obviousness, of 
making the combination." Lindemmm Maschinanfabrik GMBH v. American Bain <t Derrick 
221 U.S.P.Q. 48!.. dS8 (Fed. Cir. 1984). 

Obviousness cannot be established by combining the teachings of 
the prior art to produce the claimed invention, absent some 
reaching or suggestion supporting the combination. Under Section 
1U3, teachings of references can be combined only ii there is some 
suggestion, or incentive to do so. ACS Hospital Systems, bux v, 
Montefiore t-faspiial, 221 U.S.P.Q. 979, 933 (Fed. Cir. 1984} 
{emphasis m original, footnotes omitted). 

"The critical inquiry is whether 'there is something m the prior art as a whole to suggest 
the desirability, and thus the obviousness, of making the combination.'" fromson v. Advance 
0(!sa Plate, inc., 225 U.S.P.Q. 26, 31 (Fed. Cir. 1985). 
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1, Yavatkar fails to anticipate Claims 1-12 and 
1.5-33. 

riS0I)5..LiS.and .1.0:14 

For the purposes of this appeal only, Claims i , 7, 8 and 10-14 stand or rail together. 
Claim 1 is represent alive of this group of claims. 

Claim 1 Is directed to a method of protecting a data center against a denial of service 
attack. One of the advantages of Appellant's disclosed and claimed invention is that a ;s 
operable to delect and stop attacks {known, us well as, new attacks) 2 , whereas, Yavatkar is only 
directed to finding a source of an attack, once the watchdog agent is notified that the data center 
is under attack/ 

Claim 1 is neither anticipated nur obvious over Yavatkar, .since Yavatkar neither 
describes nor suggests at least the features of . . , sending queries to data eoi lectors., deployed at 
d "■.■tent wuri- ct a netwojk the t,\tercs to request thy statistical information irom ai least 
some of die data collectors.,, and processing the statistical information to determine the source 
of suspicious network traffic sent to the data center. 

The examiner contends that Yavatkar teaches the sending feature at (col. 3 line 65 - col. 
A, line 23} and processing the statistical information to determine the source of suspicious 
network traffic sent to the data center at col. 5, lines 25 -37 and col. 1 $, lines 32-53, m winch 



" Tfce arrangement uses a distributed analysis emphasising the underlying charactensti.es of a DoS attack, i.e„ 
congestion and slow server response, to produce a robust and comprehensive DoS solution. Thus, this architecture 
10 can stop new attacks rather than some solutions that can only stop previously seen attacks. furthermore, the 
distributed architecture 10 will frequenUv stop an attack near its source, before it uses bandwidth on the wider 
Internet 14 or congests access Jinks to the targeted victim. 12. {Appellant's specification page 6, lines 9-18). 

* therefore them exists a need for a system and method allowing lor the distributed state of a network, such as 
-nf,vn\m<v „bou: ,«v,k 'i df\ to be qttickh and .Kuitateh oHk-tkd A •vwem and trvtii xi ate needed V ouiAi> 
and accurately diagnosing network attacks by determining information such as the source of, or a partial path of, 
attack traffic, t' Yavatkar Co]. 2. lines 44-5 1). 

The system and method of an exemplary embodiment of the present invention use agents-mobile software 
modules—to collect data on the state ofa network during a network attack, allowing for more accurate diagnosis of 
an attack. During a network attack, the system and method of die present invention allow for details on the attack 
traffic (e.g., the -source, of the attack- traffic and path of the attack traffic) to be gathered. The source of the attack 
t) ) i K xn i i i < 1 a u KltkMii ir l jnji)..u c i \\ \ t i t U ^<< 
j->d whKh is, !■} ,-Kct it.c sou'te v t atLid tr,itn> to the octvuiL "sadi miormalion tber iruo be us^d to \ S H :ae 
attack or insulate the network from the attack {Yavaikar Col. 3, fines 25-37) . 
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- jj.p's dcrVwc. ,n d-'Vtem nc-s oi tU netv,otk ,.t "hi. jVixW . i l J\k;jv<- u<< o' <• tm> ts 
.v wo'k j f t \- > o cL k>, c> kvtmg M.iTtstica. utothsJlh'-i i>i i p< rL u\r t »V) 4 

VopoCa.n cxr.ontK t <tt \ tUat {.it's to dtsdoc * haha uo. " lit t. r> - | 
oi eK'W K" l ieVt.-*. . i seaJ'uj; qaof to leijtvs toe ^Utw^a! .r.our r ois ,i\ roc t „v .i ; 



!a j» CM»ij)U<-v unsi(«hinti ( <>i ffii pn.",u>f >n\euf<ijn ,) wjn hd",> ,>«of 
vsotiiio^ ih- >i t ni* t >j! nhn.ii it f<pv.f<tk\ for tt aftK Ss.mos » iiar sUi iwit\ o! ,( 
'n i^.srx itiaci, \ >*<ifcf>d<jy .meat ma\ inoiufot lot and <kk>i.< < s nvlwm k ,hia ( k 
o( <i if> vju -it'itr than 'ti>; <t< nie u) lumii i< f>pu itcs Ui! (kseuias, a(- <iit.Kk ihc 
rt,ii(!!t!<>^ ,i»<-n l<u>iich%.-> ?<k or mote biowihouiui ,i«L»f , h> k 'tt tfie *it,uk is iihe 

> i .mjck <!• iKi«d, t .ii f) f }!tn«iffoif!Ki .ifiiiu ><i <ie\>_'fieii U. ir kc 0 itfti. it on <»<u p< 
■.I jtfa»k Si! j!) n>>mp! it\ inuWinrK ni a h<<K)d!u>uri.i a^nf nuno At ►•>*■., 

et^yiS if aune )Sk s p st'i <>r pint * lakou tn .itOnk t< ajiK lttti<iw «f,kk otitic 
f o i ioodhatimi a«,t.ni fothms in firrahu' pioios <>t tnu!>n<> tlu not 5 *t>r (h> iuik on 
six )»«U <i)5 « f iKh ,i opti *t><. nh ih is JcttjKi.i, ^iM % k •i4«tii tii(.m;>titis< t» 
»<im tst ih.ii Hfik u t , t<) oios* ta ftie «o<f(> oc t!x ciit m t» tin 'ink! ff a no* 
B("»t. i.t'i tnHt.f tin <u.v rnvdf »^4)« tindtfi^ tht pu>! <ir(> lt»k >vhut a't jx>i|fim« 

<! tiuinltu hi sudi ,t mdniHv tin p tlh t>r {Mth<- <>) a jH b >it hv paiii j> pdlfi*, 

of Jtfaik tiaft t b t <^.in iwn «>{ iht a»,Kk i litK KitMi.e ur^> tiwfo tiMS K 
iouna \itei id(Jnf>»H > mivh mSonnaiion < bifHnlhxuBt 1 du<-»i ujn^Cs th<. 
va'chtias, i{,ent sihuh. ■« Hon. r.t.n report to ^ httnMn ojK'iAtoi »{, j><.sMbi\ 
,mc-inpt *<> tiA\i tiu titack \ iais>et »wit n 4 tuxk td >*{iui' att itk HjiJu. in ih>- t >u«s 
or which attack tratiic affects.. 



t> ^ v> i\> i^not sed (U tu Ji*t> 4 ' t oh ,\^ix.k«T wid vl \dsi t ^o 1C0 hi« < Co ^ hi\ 
23). set forth bdow: 

Systems exist fi>r collecting information aboat network traffic. For example, to dejermme the 
node which i>. the source of attack traffic {or the gateway allowing such traffic snto a network, 
which in such a case may be considered a source) trod the path or paths taken by such traffic. » 
human opetator may access each link at a node receiving such traffic and aoalyxe the hicommg 
traffic miag a sniffer. A sniffer is a device which may record network statistics at a node. The 
operator may identify which of the physical links attached io the node is receiving a certain type or 
amount of traffic and ihen move to. the node on the other end of the identified link. The path or 
paths of traffic from the source or* the traffic may be found by traversing the network item tsode to 
nv-de, ir-!;;r m>- susffer jt each node tn a p.iih. ijmtl the $our:c is tea:'ied s^teh a dj.^Ti^MP is dov> 
and inaccurate, A similar analysis mav be perfomted from a centra! console which may query 
remote nodes for information about die source of incoming traffic. Such a- diagnosis is also slow 
and inaccurate, as it requires commands to nodes and responses from nodes to be transmitted 
across the network. 1'he speed at which attacks occur and ihe speed at which such problems mast 
be fixed makes such detection methods ineffecti ve, A path taken by traffic may be described as the 
equipment traversed by traffic as the traffic crosses a network or networks (e.g., a series of nodes' 
and links, or a series of sub-networks). 

Appellant contends that the snifter approach described by Yavatkar does not anticipate 
Appellant's claims either since inter alia the sniffer approach does not involve sending of queries or 
o 1 1 < U !i s il 1 **. tn UonifiA vtct) >\.sp>PSt t it \ I. quiM s 
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yavatkar tails to disclose the feature of .sending queries ... to request the statistical 
information, as recited in claim 1 Nowhere in the cited passage does Yavatkar suggest much 
less describe statistical information on network packets sent over the network. Yavatkar 
describes a watchdog agent that monitors tor traffic having characteristics of a network attack. 

Yavatkar does not disclose that it collects statistical information on network packet 
traffic, in the instant case the reference is devoid of any discussion of sending queries . . . 10 
request the statistical information collected by data collectors. 

Claim 1 aiso requires sending queries to data collectors. However, Yavatkar describes 
that the bloodhound agents ''scH'Ucstnict.'' Thus, the watchdog and bloodhound agents are not 
described in a manner m which the watchdog queries the bloodhound agents, indeed, once a 
bloodhound agent sends its report, it self-destructs, which in Appellant's opinion, making it 
difficult for the bloodhound agent to respond to queries. 

Yavatkar does not describe that the bloodhound agents are responsive to queries and in 
particular queries for statistical information. Rather, Yavatkar is directed to a process in which 
bloodhound agents arc instantiated node to node in an attempt to trace the path of an attack. 

Claim I further distinguishes since Yavatkar fails to disclose: ""processing the statistical 
information to determine the source of suspicious network traffic sent to the data center." The 
examiner contends that this feature is described by Yavatkar at coi. 3, lines 25-3? and coi. IS, 
lines 32-53, which passages are reproduced below; 



The system ami method (if an exemplary embodiment «f the present invention 
sjsc agents-mobile software modnles-to colic-el data on the state of a network 
during ;s network attack, ailowmg for more accurate diagnosis of an attack. fh<rhi« 
a tii'ivviirk attack, the system and method of the present invention afhrn- for details 
on the attack traffic (e.g., the von ret* of the attack traffic and path of the attack 
traffic) i:> tit gathi-i-ed. The source, of the attack traffic may be the originator of the 
attack trafiu- or, for example a gateway aikwin« attack traffic to enter a network 
and which h, in effect, the source- of attack traffic to the network, Such infwmatiotf 
then may tie used to halt the attack or insulate the network from tin.- attack. 
(Yavatkar col. 3, lines 25-37) 

Tt> report, {tie hloodhnntid agent moves across the network t'.i the node of its 
iaunch point and presides its findings to the watchdog agent. The bfoodhnund agent 
transmits the dat.t it has collected to the watchdog agent ustB$! a messaging service. 
After reportin", the bhtodhotnid jgent is du\tio>tf). in an exemplary embodiment, 
fke bloodhound agent provides to the watchdog agent a report indicatio" the path 
or path* for a pvhi«» (if the path or paths;) taken by the attack traffic arid, possibly, 
the source of the attack traffic, f he source may be indicated as a gateway allowing 
access t(? other networks: in such a case the indicated source is not the ofti>itiat»ii> 
Mrttree of the attack. The path as described by the bloodhound agoni comprise* iiuks 
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nod >. I inks nia\ H <iii.iof.et* us) no p.nrs . ( f poif mxU tOfiitiinatMtx. I 
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description contained in the applicant's specification." [emphasis 

According jo Morris, the examiner must apply the broadest reasonable meaning to terms 
"in iheir ordinary usage as they would be understood by one of ordinary skill in the an/' The 
examiner has not provided any rational basis upon which one of ordinary skill m ihe art would 
construe "sending queries to data collectors'' as the same as launching bloodhound agents based 
on ihe type of attack delected or construing "statistical information on network packets" as 
"gathered information.'' For example, the examiner states: "The gathered information is equated 
to the statistical information because the claim language merely recites statistical information 
and does not specify the type of statistical information that is collected." 

The examiner errs, since claim 1 does specify the type of statistical information collected, 
namely, statistical inlbrmation on network packets. Had Yavatkar described collecting statistical 
information, then Appellant would have narrowed the scope of "statistical information." 
However, Yavatkar, in fact, fads to describe ''statistical information on network packets.'" and 
thus all that Appellant needs to distinguish this feature over Yavatkar is the act of "collecting 
statistical information on network packets." 

Rather, Yavatkar describes gathering information as: "garnering information about the 
traffic on the network by launching an agent and having the agent iteratively identify which oi 
the links on ihe node on which the agent operates accepts a type or class of trai'ik. traverse the 
identified link to the node across the link, and repeat the process." [Yavatkar Col. 2. line 56]. 

Yavatkar also discloses: "In such a manner the path or paths, or a portion of the path or 
paths, of attack traffic between the source of the attack traffic and the target node may be found. 
Thus, Yavaikar teaches that the bloodhound agents trace the path ui the attack. After gathering 
such path information a bloodhound agent reports to the watchdog agent. [Yavatkar Col line 
!6i. 

In Morris ihe specification lacked any text to guide the kxaminer in construing what the 
di <puful claim tern, meant Based on the absence of any such text, the Court staled that the 
Fvsmmci 's nfteipjetati'm was reasonable: 



Absent an express definition in their specification, the fact that appellants 
can point to definitions or usages that conform to their interpretation 
does not make the PTCs definition unreasonable -when- the PTO car": 
point to other sources that support its interpretation." 

hi the present application, the written description discusses querying data collet tors and 
statistical information on network packets in great detail. There is no ambiguity, as there was in 
Morris. Therefore, by construing querying data collectors and collecting statistical information 
with totally unrelated concepts, the examiner improperly ignores the meaning that these features 
have in Appellant's specification and improperly conflates them with unrelated teachings such a 
''launching bloodhound agents'" and "gathering information" disclosed by Vavaikar. 

Appellant does not ask the examiner to read limitations into the claims, as was the case i 
in re Van Geum'. In Van Geum, the specification disclosed a magnet assembly used for NMR. 
The claim, however, recited a magnet assembly that, provided a uniform magnetic nekl with no 
mention of NMR. The cited reference disclosed a magi let assembly thai, generated a relatively 
uniform Held. Van Gains is inapplicable to the present case, because the claim elements, e.g., 
querying data collectors and collecting statistical iniomiation are expressly defined in the 
specification and positively recited in the claims. 

Appellants claims recite particular features and the examiner must find those features in 
the prior art, rather than conflate them with non-relevant teachings. Therefore, die specification 
is available to help the examiner understand these features and the examiner may properly 
review the specification in construing a claim term. In the present case, the Examiner is 
attempting to construe these features without the benefit of the guidance offered by Applicant's 
specification. 

In response to Appellant's argument made in Reply to the final action, the examiner 

stated: 

Uut uJtiitt my int»rmtt!<i>n ( st imitctl liitoi roatfosi) d lsitxs<it<,u<t)<; »««« 
sqn>rt* u> Ok *ji.ltd<. s > ai,ens autiiniJticaih i\itm<iit !i> fsir tht 

^aivhiiwi. J«.<'ii( t * iet)iiv»t the i«t») xutuxi KvduM iite ruiuiM h i«. hmi i\UbhsW(\ 
$•)>* i? ! iv neaiten i4 tilt itiijodwn ml a«oni <ind thtrUort i vmxkk! si'fjWit !•> ni)« 
«f ukd 5 ti«ei«u, .A<iiL« t n< una oi the i>hn«lh<m(itf »■,«»»-> ar»i «jtnum« H the 
i!tf,!rm.tt!(t!i h\ ibt jguits ssu'Us t!u MOjH- tff tht turn ntiy tli'inm iimiUtum'. 
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t :,.'ip - , ,a_^ 

. i .he \ii]'iiso ot is^ ipne Ion \ Claims 4 and 5 stand or (all together Claim 4 is 
fen <^e r.ne. e o^ :\ - <auaif e! danu.- 
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Claim d distinguishes over Yavatkar .since Yavatkar neither describes nor suggests that 
determining is performed by a control center that receives ihe statistical inibnnation iron! the 
data collectors and includes sending data to/front a gateway device that is associated with the 
victim data center. 

In Yavatkar the watchdog agent does not analyze traffic to determine the source, the 
analysis is performed by the bloodhound agents*''* indeed the watchdog agent creates ; 1 the 
bloodhound agents and indeed the watchdog may not even be needed. ! " Rather, than analyzing 
to determine the source, the watchdog is provided to monitor 1 " and launch 54 bioodhound agents 
and report to an operator/'' 

Accordingly claim 4 is allowable over Yavatkar since Yavatkar does not describe ail 
elements of a claimed invention arranged as in the claim Cotwdl supra. 

Cl aim ft 

Claim 6 requires thai the queries and the statistical information are sent over a. redundant 
network that does not carry the packet traffic to deliver collected statistical information to a 
central control center in response to the queries sent iron; ihe central control center. 

The examiner does not explicitly address this feature and instead merely points Appellant 
to Fig. 3. Fig. 3 is reproduced below: 
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Figvm 3 

Yavatkar** Fig. 3 merely .shows a network with nudes and links. Yavatkar doe* not 
describe a redundant network that does not carry the network traffic, to carry the statistical 
information in response to queries to the control center. Accordingly, Yavatkar neither 
anticipates nor verifiers obvious claim 6. 

Claim 9 recites that if a source of the attack is behind a gateway, the control center issues 
a request to the gateway that the attacking system is behind to prevent the attacking traftie ... 
from reaching the network. 

Yavatkar describes "After gathering such information a bloodhound agent reports to the 
watchdog agent, which in turn, may report to a human operator or. possibly, attempt to halt the 
attack.'" However, Yavatkar fails to describe that the bloodhound will issue a request to a 
gateway. Yavatkar mentions that in respond mode, the watchdog agent may attempt to halt the 
attack by either launching an agent which alters routing tables or altering the routing tables itself 
Yavatkar also describes launching an agent which functions as a iirewall or installing filters, 
report findings, communicate with network administrators so that the network administrator may 



asc tho findings to v uio the pu-Hem <(% in t o event does Yavafkar describe that the watchdog, 
vt;ueh the examinu mulogi/od *o the control center of claim 9, contacts the gatewav. 

Claim J 5 

t hun 1> adch the JCtitute oi reeen ing from a gateway ... a notification thai the victim is 
under attack. For the reasons discussed in claim I , the combination of this feature with the 
ieausres of sending queries to data collectors ... that ... eoileet statistical information on network 
packets . and determining the data center(s) . . . involved in the attack . . . by analyzing collected 
statistical information from the data collectors, makes this claim allowable ever Yavafkar 

hi addition. Yavatkar does not describe: "the queries being requests for statistical 
information frv>m data collectors that have examined network traffic with the victim destination 
addi ess . . . ." Yavatkar does not make queries and does not make queries to data col lectors that 
have examined network traffic with the victim destination address. Rather, upon detection of an 
attack by the watchdog agent, it launches the bloodhounds that trace the path of attacking traffic. 
No queries based on victim destination addresses are sent to the bloodhound agents by the 
watchdog agent. 

Claim..!*? 

Cknm ,\iviic vom,ui'mL,atm«. Maij-tk.ii .mormat or h<n he „<.o toK v j\e 
to/from a j»uk"ui^ do ^e *hai is ctsposed \\ ith Ciu <■ sUr>> eal<i tei s ..US * ro, 
describe ( v^' m v iR^tm^ >ut sj(_al ion>tnMtuii. ..idu ,unK.i!a5 c in-'i, ,-m.M _ -\jmu 
iniitrmatii - *' ir * .<„ u«h < +er to 'ion aguVv.r, oVsai ''tat \- J's ' v< { c ^ v * JlT} 
data center. 



w Aster a response from the bloodhound agent the watchdog agent transitions to the respond mode, in the respond 
aodw^vwi ia \ s ui m ,ntvO t k o h^U tbi i li^k S otv\, T].k Ut v «it< hdo|. " m <» n sin,!,!, i < rt 
which alters touting tables to prohibit traffic from a given scares from entering the network^ or rosy perform- such ;m 

' Hi n ti U < Uilayu m hiro n a^nt ^h \ tr ti is -> T tt<. i s o iu< nn \t p 
{joins i k r-i v. roui ns tn^v* p > nt toi au KuitK lit vnhji s uni u> ist S sv. m 
w s tk-dut j a\ i t o iw nl *h b. p <r» u** atu J n fh i« m >\,ij; krw irJtv" IU > tasdu j ; s i 
report hndiP > iV ; > , Eh. soaas. <-l tiv «U»vt <be 5 ath ox paths tAen K ut^k ini*\ So i tictvu d adr nvsirit n in 
m exemplary embodiment the watchdog agent communicates with network administrators via a management 
console application; aitemase embodiments may use other methods. The network administrator may use the findings 
to cure the problem. After attempting to halt the attack or contact an administrator the watchdog agent transitions to 
the monitoring mode. 
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QMmJl 

For analogous reasons, as in claim 9, claim 1 7 is not described by Yavatkar since the 
rcicrcnee does not describe that ... the control center issues a request to the gateway to block the 
attacking traffic, 

Claires 2 0 : . 2 i HndJ6-2S 

For the purposes of this appeal only. Claims 20, 21 and 26-28 stand or foil together. 
Claim 20 is representative of this group of claims. 

Claim 20 is directed to a system to thwart denial oi' service attacks. Claim 20 
distinguishes over Yavatkar since Yavatkar neither describes nor suggests a plurality of monitors 
dispersed . . .collecting statistical data on network traffic, a control center coupled to the plurality 
of data collectors, the control center executing a computer program product . ., comprising 
instructions . . . to receive . a notification . . . and in response to receiving the not] ilcation send 
queries to data collectors to request the statistical information from the data collectors, the 
statistical information used to determine the source of suspicious network tralfsc . . . and a 
gateway device . . . disposed to protect the . . . data center, and . . . coupled to the control center. 

Claim 20 is directed to a system including a plurality of monitors that collect statistical 
information on network traffic, which arc queried by a control center in response to a notification 
that the data center is under attack. 

Yavatkar does not describe such an arrangement. Rather, in Yavatkar in response to a 
notification of an attack a watchdog agent deploys bloodhound agents, which report on paths 
from an attack and then self-destruct. Yavatkar docs not describe the bloodhound agents., as 
collecting statistical information. Nor does Yavatkar describe that the bloodhound agents arc 
queried by the watchdog or that the watchdog sends queries. The bloodhound agents do not 
persist but rather seli'desiruct and hence cannot meet the limitation of the monitors, since the 
monitors are required to be coupled to the control center and respond to queries from the control 
center. 



Clam* 22 is not described by Yavatkar, since Yavatkar does not describe that the control 
eenier further comprises instructions to determine a source of the attack on the victim data center 
by analysing collected statistical information from the data collectors. 

According to Yavatkar the bloodhound agents trace aji attack. No mention, however, is 
made. in Yavatkar of analysis by the control center of any information, m particular, statistical 
information to determine the source of an attack 

Claim. 23 

Yavatkar does not describe that the control center and gateway device associated with the 
vtotnn data center exchange data including statistical information to thwart the attack. 

Chum24 

Yavatkar does not describe that the data exchanged between the control center and 
gateway device . . arc sent over a redundant network that is a different network than the network 
that is being monitored by the data collectors. The examiner has not .shown that in Fig } of 
Yavatkar a separate network that does not carry the monitor traffic is used to communicate 
between the bloodhound and watchdog agents. 

Claim 25 

Claim 25 is allowable for analogous reasons as given for claim 9. 
Claims 29 a nd 32 

for die purposes of this appeal only. Claims 29 avid 32 stand or fall together. Claim 52 is 
representative of this group of claims. 

Claim 29 is directed to a computer program product . for protecting a victim data center 
against, a denial of service attack .. .comprising instructions to .,. send queries to data collectors 
• - • thai ■ ■ • sample network traffic and collect statistical information on packets sent over the 
network, the queries to request statistical information from data collectors that have examined 
network traffic with the victim destination address and determine a source of the attack on the 
victim data center by analysing collected information from the data collectors. 
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\ e.atkar tixiw not dc'enbe sikh an anan^eirent i .oatkar dc^abe- '; v\atebe.og a^pt 
\}\x> eepios^ h; uo JL (iLmi l aucins that iqvtt on paths msohed in au att kk aro ivn ser d<^ni.ct 
bbe v-itdvot' .i..vn; J<kv i.ot suui .jueiiCN to the data eolUxtojs uat u>Uee: staLsi ; cai 
'tdUmatiun tn>; Mtat can respond to the quenc^ based on the \ fctm eesL-unon .address 
Y;oatka; dots aot deseifbe ate, pieces*, ihut determine-, a souice o l the at\>ek akcu on anah^s 
t>S she eo'kvk'J st nstica. mtuntMtiiMi Rather m Ya\<ukar the anahs;s ts ru^ed on paths 
kLnutvd hs the bloodhound agents hciore the hloudhunnd agents sek -devt-k* 

Claim 30 

C hten }<i teeatie? uwa^uojis u>- 'Send dat \ ate ud>m< -tati^wtl a-uo-nurton hetwt.cn a 
^utew n de\ see V-v? l-> disposed w tth the \ teMn dat t center and a eoisHv vctstei " f : ten n 
allow able ioi asw.oeoao iaason^ a- guen *b: chinn 16 

Chasn 33 

i him v -n flow ah i- v> analogous reasons as lt\ci: foi dams '-) 

2, \ auitkar et al.. '702 m \icw of iliii ct al. -804 
fail fo render obvious Claims 13 and i4. 

Uamis ! o and 1 4 

)\k h a: claims j ^ and i -5 jic ,Jlov, able at least bccae.se e! the katire.- teemed in . I cm 1 
-ir.ee \ as.-.h^; oo 0 s not atnu.paU: ela-ir 1 and Htll doc- rot asie *bc de;ktenc!Cs at s j\aika' as 
noted tn the above a:t:uirn.nt i wine', the esatmner \cas HiM n< teach v;\.>s^ \r? amck.> a,- \\ 

:bc seven t\ oi ibe attack m the network ( hii 3 eoi 2 line.* ^-<-n eol o i:nes Q ' 
^ppdUnt r.oteo du' the teachings at Hd; are directed to at\iek sannlation lot to an aeiiui afaek 
i>i a s\akm V eettv" and ds^ast ^n attack 
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Conclusion 

■typeii.mt suhcius ti,dt (Xnm? I-.v ,ho patentable o\u the uml 
Respectful iv s n brri i tied , 
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Appendix of Claims 

1- 4 1 wiwi r'o'c*. tni 0 a ( .iLi cental jiivtii^t item i-m^ A.x \ + hc n t lod 
comprises'. 

i v\f v ks \MMta u«i eetoi ■> .lepk^ ed at e ,{eie-r pon ^ l ,d\o'l h/oativs 
iK-iHO'i r o ! vd> ,vt..,to', i tC(.tav<to)!kxt(.^ o k>< { ^ t* - <*.«.! it hm. \<> l u.k^oil 
PjilI^is seniou, t\< retuoik t w curies ttMequest tfiv. ^utistua frfo -n,a<t>> s, n>u i. 

of Ua d.a\ UVotN ird 

^eikhmj ij su uhk.i! lU^tmapon imni the dot . ^oJ^.^js ,n i^p ^rv + c> iiv uu ties t \xi 
p'Ovt^sirgiA stat-s-v* m^m^m to dc'u.nsne me -.oust*- of s^n^o ^ <s_ ^jk 
tratiie sent to the data center. 

2 I !a n.efnou of <. a,M) 1 v hi-; em the pU\u>-k paekos f.»r, J v a, ^kei :u\>.- faked, 
ranviori ^<Hin,e t<i«\es-,e- tfjjt tharue \% A\ iriit* uui M-rdire, que lis iattnc o'npn^ts" 

^. Jh^ que-K- umU d i\, t,w>k\\>t- \n the -,{<>j^Kal i rot ia isn has- u on vs-Mim 
deMinattOr aaY-^s 

' ^ -uUl'od (.fanu i nheiem ptooev-n^ *U!thei eM-rqcws 
Jevnn nix s.' lion! at in past, he t.o!)Cued s\\i> i< c\ \"s + oinia son, \\hat data centers 
an u \tii\i.e i, lie as\;ek o'\ ;X ^ \ inn ea*d « cutei 
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4. The method of claim 3 wherein determining is performed by a control center thai 
receives the statistical Information from the data collectors, and determining further comprises - 
sending data to/from a gateway device that is associated with the victim data comer. 

; The r*i thee ofj.aim f tk <aakv,a\ ,denr + Vs tV retwoik jtddre^ o->L< 

s s , . \ i/es-ai e in ire ( o'vaoi i erne: 

f> f he iretvd of claim 1 \\ heem +{ e queiu ard t te n{ m-t-^f trio~m:it or aje sent 
.woi a , :G,.i,hli,u ^.eUotk iui Jvto ni-t catt\ the paeke* e.dln \> doinu o>\Lvkd >Ui: ~!.\.a) 
•irbrria.tioin to a -em* e<uu v <>l eeiA-i iu lespon^e to t<,e queue* ^ent uom Ma. eeatml control 
center, 

" : . I he method of claim 5 v, herein menage indicates sin.- type of arrack. 

I s llvav! t^d of claim I v, hen ir a soto>.e <u the akav 1 .s K „ inda_atOAa\ 

ik ret i'id of chum 8 ^heietn if a ce o + 1 ie ara^ semre a galore , t,<_ 
i*'(>' ^< rv i ^aos ti teqi es" to the iaucv ( a\ that the at\xkm£ sss+er, i- ovhtv to p;ewtf the 
uiun k re *vd tnv »r«™i nnacKing system from reaching the network 
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' ! .v m u od . , chum \ w ictur it a v*um oi rl < att i. . is hoi uu! a j. t ewa, Ve 
i> v ^ l,i >t 0 a ^uivvii . -s>io n ^ Mara sele.V eh disc ads 'njttu anrcai ^ to Do 
v m huoj t , in . it 4 h< v.ontans the \tumi dogmata n addt<.s> 

1 1.. 'the method of claim 1 wherein if a source of the attack is not behind a gateway, 
the control center queries the data collectors to provide information about, possible locations of 

the attacking system, 

I he method oi elmn 1 w hot em ri a ^outee of site araek ts not he a nil a s:atewa\. 
i to method hittrof tonmnses 

conta-.m^ aOtmmstr doto at ^outturn- tmohod m lite aitaek to ita\e the admm^tmtots 
lake aJj>>n to j}':e r oU packet- Atth the destination addrt^s 

1 3. The method of claim I wherein the attack is a low-grade spoo ling-type of attack 
that does not compromise network traffic How between the victim data center and internet. 

1 4. The method of claim 1 wherein the attack is a high-grade attack that compromises 
network traflic flow between the victim data center and Internet. 

1 5 A method of protecting a victim data center against a denial ot'^m tee attack, the 
method comprises : 

receiv ing packets with faked, random source addresses; 



reserving, from a gateway disposed near the victim data center, a notification thai the 
ictifn dam center is under an attack; 

sending \nak to d^ t to'leaoi^ denized at Juiciest oo\!.s v\ c \<»\\ "k Ik , i an\e 
c'a ^ik *Ki"k to i \ < <1m Jau eeniu no dat i u>Ikc5m\ ti< Maniple uv,^ vk p.\ker- and 
A Maii->.Ka ^ otm - u>n en net u oik packets vent o\ ^ the refvunk- the q:.v. Vaig 
v.kMs !<>' -kit^j< .\ a\ - najon lU'ii d tta » olleUoio Pn l\no „\ar st^a , UvuO evJh_ -\ 1 1 
■n. \ \Ui.i desi .aUer add'e-s j»J 

JvtCMieLi it.' ne eata eei/a 01 ten ei * m\ o!\ ed m the aaat t, *r + Le \ «• fa\ o\\ . <. e u< t !- / 
•aK'KiL' c<*l ll*^ 1 star ex i nuojria'ioij nem the data voUeUoiM 

16. The method of claim 15 further comprising: 

-otnnuj^ieaLng Mat tstica 1 mtonnajon from the control center lo/rrom a gateway device 
lai .\ disposed w % ih the victim data tenter 

i ~ I-te method ckum U< uheiun if a *ouiee of me attack ^ hchtnd a gateway, the 
niie) eemu' wsC" a '■CijneM to the gitc\va\ to Hock t!iL attacMt^ uuilk 

t ^ method ot claim ' 7 whet em tf a muukc <u uk atud ^ hcmtJ a gateway, the 

ttt^:^ selectee'? disv.aids trahk that appear to lx» maacou> Uaftk jrsd thai contains the 
icti'ii oesttnat'ors 'uldre.->s 



i '■■>. The method of claim 1 5 wherein if a source of the attack is not behind a gateway, 
the method comprises: 

.'onUenrg administrators at locations involved in attack to filter out packets having the 
dcst.tnat.3on address. 

20, A system to thwart denial of service attacks on a victim data center, the system 
comprising: 

. pL ahK ti meu\ofs dispersed dinmghoo* *. tvtvoik ihemomtoi 1 vol tcfng statist „ai 

« cor j»\ (.oMiu e <rpled t o 'h^ ri'rjlu^ o* Juj^i] -eu> ihe to.iLo! t e \c -xeea^m 1 . 
vompVe. pjOi.^,ri \ tmiac* Mo.wi <>n . k i ipitu ^e.uLhtc aied.vin. s.> 'tip'.-ny u it-u-w '<m- vi 
eausme. a computer to: 

„vXu w h<>n vhe \ ietsm sue a .iutme.a»<vn that the ^ i> tr"i eata ,crii s MiVer jn 
a;Ki^\ a kj \j ses.vusc to 'au\ir,; die u> ui «.at.on 

.uk v,. a es v - da; t v.olit^u.j^ ie fequcst the statot.«d ai e-*v.u* on jom d 
co' > d^ r s -he -tat Vio i ,i"u >ju< r .tsod T o eetur-Mre the -»we o T on-. \etw<>^ 

iraS.i'ic oemg sent to the victim: 

a jit'i. ocv.u t .ato .vsts ^jviwotL paeketiXt«».cii the Met oik anJ 1 to uct'ii d..<u 
oci.tci lie i>a ev,u\ exposed to protect tht \wnm oaia eeuUi art >v rig c.eapke' k> the v.ontrol 
center. 

1 ! \ he -ssten, o 4 v. a a\ 20 whet em the d^a i oHov-toi - u>i'u . ^ati\ta.ai 'aV'-uaunn 
on network packets that pass through points in the network that the data collectors monitor. 
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22 I he ^ .>'s."ii nl < > »:n '0 whereui the eoniu}] cobles kntboi tompuses ir.Miuciu>ii^ 

to: 

do t.,r * o a - hmoo o 4 ( i ■ ttk\ k o be \ ittirn J -\ . ceniet h\ maK a t u t oLoi te i 
st; i t'vdi iiJti ^idl s bun Jk-iLui 'iuto -s 

„•> . i dana "'Uwneiem he eomiol tea e. ex ^.ov >n do i,.e oSs<.><.,uted 

with he^Atr d«t w\,ei ^stLi s< t data iriUdtr^ <-2istku hJffj t^tio 1 ' avasU't tk 

24, The ,-sstem of elatm uhetetn data ev.har.i;ce hetxsetu Mie t^niro; mentor ami 
^atewa\ dovscc a->M.>v.»ated >vnh the worn data center ate ->e:it o\ei a ledendait nemois. thai is a 
ditto cut netwoil than, the network ikr ;s being niontt^ied b\ the data e^lk-etois 

25 H;t s\ nun oi ebun 20 wherein u the eontrc^ ctnlet determine^ thai the ^oaree ot' 
ihc attack ia behind a gakwav tiit e<mh<>] center kssuts a mjue^t t^ the ,.-ato\a\ [haH;<, seuitc 
id the attack h behind u> block the Stacking nattk 

2<a iht s\otetp <u el.am 20 wherein ti the tonttvi tenter titters- ant i thai die ^unee ot' 
the attack i? bdend a gateway the c^ntr^i center i^ues a R-que-.: to the »ato\ a\ \> seieetneK 
disc cd uaiilc th;a contain-; the Mctim destination address 



i he oyster, i of ohms 20 >\ neien. n the souk e *>l the attack s- u»t hetvud a 
^atew a>, Ihe v.onLol cento quene> the data tolkMOis ;o psoude ,'ih'fn^ion j-Miit possible 
locations ol the source of the attack 

v n llv Avtcna'Mn/"*" u.iir 1 vnua -[ T be a\ a.1 ^ ! Knmd - 
ga\ v* t p 'Ik >^ v or, nco < cs 5 sstua.or-- to <-o,)taU adnnomtatoj s J cuooed ,1 J, >>J 

to h*\ ! v a h.i 1 ^auto'-s Li^ action to jhc <. u* paekeh >v:h *Le s jekr\ Jc*' lafu n adces- 

29. A computer program product residing on a computer readable media for 
protecting a victim data center against a denial of service attack, the computer program product, 
comprising instructions for causing a computing device to: 

receive a notification that the victim data center is under an attack: 
send queries to data collectors deployed at different points in a network that carries 
network rraffic to die victim data center, the data collectors to sample network traffic and collect 
statistical information on packets sent over the network, the queries to request statistical 
information irom data collectors that have examined network traffic with the victim destination 
address; and 

determine a source of die attack on the victim data center by analyzing collected 
information ironi the data collectors. 

I'll' u> npa.c piOL.am p'oduct ot eia.ru J > tutihe T .ouip.i^' st.' x T iMJuetvi-i io 




Edward W. Kubler, )r.,etal. 

09/93 1.48? 
August 16,200! 



Attorney's Docket No.: S 222 1-00600! 



send data including statistical information between a gateway device that is deposed with 
the victim data center and a control center. 

3 1 The computer program product of claim 29 further onnpTJMiu; ms*mUt.->r.s •■ • 
determine whether the source of the attack is behind a gatcwav md % f Ha s v >u-< c • the 
attack is behind a gateway, 

issue a request so the gateway to block the attacking traffic. 

32. The computer program product of claim 29 further comprising instructions ur 
determine whether the source of the attack is behind a gateway and if the source of the 

attack is not behind a gateway. 

send a message to contact administrators at locations involved in the attack to lilter out 
packets having the destination address. 

33. The method oi claim 1 further comprising: 

receiving from the victim site a notification that the victim site is under an attack 
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